Europe’s False Sense of Cyber Security

22 August 2017

Once upon a time, the scariest IT security stories concerned the US almost exclusively. High-profile debacles such as the Target outage gained worldwide headlines because of large fines and senior executive departures. As the list of corporations affected by the Dyn outage shows, however, there is no room for complacency elsewhere. DNS security issues are truly global in scope. Our third annual DNS Threat Survey was also global in scope and pointed out the differences in attitude around the world.

In Europe, we had some 400 respondents, half of them at C-Level or above. The findings have some stark lessons for IT leaders and their European teams. More than others, European IT professionals have a lot of change coming their way. They face a tsunami of EU legislation, like the Payment Services Directive (PSD2) and the General Data Protection Regulation (GDPR), coming into force on 13th January and 25th May 2018 respectively, as well as, where applicable, Brexit.

Despite this, most Europeans surveyed believe they are protected from DNS security issues. The evidence in this year’s report proves otherwise.

DNS recognized as business critical for EU companies

European IT execs’ awareness of how crucial the DNS layer is in their IT infrastructure was high, with some 93% recognising DNS security as business-critical. Organizations in Europe also lead the world in the logging and analysis of DNS traffic, with some 94% doing so. Compare this to North America where some 11% goes without scrutiny.

Total downtime of cloud services reported by Europeans was significant at 36%. However, this was better than the 44% from North America and 46% from the APAC region. Europe also suffered less from compromised websites and in-house application downtime: its organizations were affected on average 6% and 4% less, respectively, than other regions.

Although it is very strongly attacked

While there is high awareness of the criticality of DNS at a high level in Europe, probing deeper shows a lack of detailed knowledge. Only 34% are aware of the top five DNS vulnerabilities, which are DNS-based malware, DDoS attacks, data exfiltration, cache poisoning and zero-day vulnerabilities. This contrasts with 39% of organizations in North America and 45% in APAC.

Despite applying more security patches than the rest of the world, assuring security of DNS is still a major headache. Some 38% of European organizations were subject to between five and ten DNS attacks in the last 12 months. That is more than double the frequency in North America, where only 18% suffered this many, and more than in APAC, where 31% were attacked this frequently.

When things do go wrong, attacks are likely to be more serious and expensive to fix. On average, 22% of organizations had sensitive customer information stolen and 18% had intellectual property (IP) stolen. Taken together, these data exfiltration figures were the world’s worst. While in APAC a similar 18% also suffered stolen customer data, the intellectual property figure was lower at 12%, and in North America the figures were 13% and 10% respectively.

Costs too are higher. The average DNS attack was estimated to cost European organizations $590,000, compared to $370,000 for Asia and, perhaps surprisingly, an estimate of just $363,000 for North America. This makes a DNS attack in London on average 59.5% more likely to generate a revenue loss than one in Tokyo and 62.5% more likely than one in New York.

The issue – Europeans deluding themselves?

European IT teams can rectify issues broadly as fast as the rest of the world, with 52% taking almost a full business day (six hours) or more. Unfortunately, they do so less efficiently than North America, requiring more than four members of staff in 37% of cases, compared to 27% in North America. While four or more team members are required in 43% of cases in APAC, at least the lower labour costs there reduce the cost to remediate.

For data exfiltration attacks, Europe trailed the pack, with 23% of respondents taking more than four days to identify them. That is more than enough time to create major issues, which could mean organizations are in breach of Europe’s wide-ranging data protection regulations. As these regulations bite, their requirement to notify regulators and customers means brand damage is highly likely and penalties very severe (a fine for GDPR non-compliance could cost a company up to €20M or 4% of total global revenue of the preceding year, whichever is greater; see Why Businesses Should Fall in Love with GDPR).

It is the ‘laissez-faire’ attitude of European respondents that is most shocking in the DNS Threat Survey. Not only are they more likely to suffer brand damage and data exfiltration, they also stand to lose a lot more in each attack and it will require more manpower to remedy the damage. While it is true that Europe boasts the best awareness of the importance of DNS to IT infrastructure, once there is an attack, IT execs from other regions can respond more efficiently. This hands the advantage to their global rivals.